What It Is
The Senior Managers and Certification Regime (SM&CR) is the FCA's individual accountability framework for regulated firms. It replaced the Approved Persons Regime in stages between 2016 and 2019 and now applies to virtually all solo-regulated firms as well as dual-regulated firms supervised by the FCA and PRA.
SM&CR has three components. The Senior Managers Regime requires firms to identify individuals who hold Senior Management Functions (SMFs) and obtain FCA approval before those individuals take up their roles. Each Senior Manager must have a Statement of Responsibilities that clearly sets out what they are responsible and accountable for. The Certification Regime requires firms to identify staff who perform functions that could cause significant harm to the firm or its customers, assess their fitness and propriety, and issue annual certificates. The Conduct Rules apply to almost all staff — not just senior managers and certified persons — and set basic standards of behaviour including acting with integrity, due skill and care, and treating customers fairly.
The centrepiece of SM&CR is the duty of responsibility: a Senior Manager can be held personally liable for a regulatory contravention that occurs in their area of responsibility unless they can demonstrate they took reasonable steps to prevent it. This reversal of the burden of proof — from regulator to individual — was a deliberate response to the 2008 financial crisis, where the FCA struggled to hold senior individuals accountable.
Why the FCA Cares
SM&CR exists because the FCA concluded, after the financial crisis and a series of major scandals, that it could not effectively regulate firms without being able to hold individuals accountable. Under the old Approved Persons Regime, responsibility was often so diffuse that no single person could be held to account for failures.
The FCA uses SM&CR as an accountability infrastructure. When things go wrong — whether a compliance failure, a conduct breach, or a customer harm event — the regulator can trace responsibility to a named Senior Manager and ask: what did you know, what did you do, and can you evidence reasonable steps?
SM&CR also serves a preventative function. The FCA's theory is that individuals who know they are personally accountable will govern more carefully, challenge more rigorously, and invest more in compliance and risk management. The regime is designed to change behaviour, not just enable enforcement.
The FCA has taken enforcement action under SM&CR and has signalled that it will continue to do so. Recent cases have focused on inadequate oversight of compliance functions, failure to manage conflicts of interest, and insufficient challenge of management information. The regulator has also used SM&CR to prohibit individuals from the industry, demonstrating that the regime has real consequences.
Who It Affects
SM&CR applies to all FCA solo-regulated firms, with the scope and complexity of requirements varying by firm category. Firms are classified as either core or enhanced.
Core firms — the majority of smaller firms including most IFAs, insurance brokers, consumer credit firms, and payment services firms — must identify and obtain approval for a minimum set of SMFs (typically SMF1 CEO equivalent, SMF3 Executive Director, SMF16 Compliance Oversight, SMF17 Money Laundering Reporting Officer). They must allocate prescribed responsibilities, identify certification functions, and apply the conduct rules to all staff.
Enhanced firms — typically larger or more complex firms meeting specified criteria around revenue, assets under management, or number of approved persons — face additional requirements including a comprehensive responsibilities map, additional prescribed responsibilities, and more detailed Statements of Responsibilities.
Appointed representatives are not directly subject to SM&CR, but their principals must ensure that oversight of AR activity is allocated to a named Senior Manager. The FCA has increasingly focused on principal firms' SM&CR arrangements for AR oversight.
What Firms Get Wrong
The most pervasive failure is treating SM&CR as a static, one-off compliance exercise. Firms produce Statements of Responsibilities and responsibilities maps at implementation and then never update them. When organisational changes occur — new hires, departures, restructures, new product lines — the SM&CR documentation does not reflect reality. The FCA has found significant gaps between documented responsibilities and actual management structures.
The second common failure is in the Certification Regime. Firms either fail to identify all certification functions (particularly in areas like proprietary trading, algorithmic trading, or significant management) or conduct superficial annual assessments that amount to a tick-box exercise. The fitness and propriety assessment must be substantive — it should consider conduct rule breaches, complaints, competence, regulatory references, and criminal record checks.
Third, firms underestimate the scope of the conduct rules. The Individual Conduct Rules apply to all staff except ancillary staff (such as receptionists, security, and catering). Many firms have not trained all relevant staff on the conduct rules, do not monitor for breaches, and have no process for recording and investigating potential violations.
Fourth, handover arrangements are poorly managed. When a Senior Manager leaves or changes role, there should be a documented handover that ensures continuity of oversight. The FCA has criticised firms where departures create gaps in accountability — sometimes for months — before a successor is approved.
Finally, firms confuse delegation with abdication. A Senior Manager can delegate tasks but cannot delegate accountability. If a compliance failure occurs in their area of responsibility, the FCA will ask the Senior Manager what oversight they maintained — not whether they delegated the task to someone competent.
What Evidence the FCA Expects
The FCA expects up-to-date Statements of Responsibilities for every Senior Manager, clearly delineating their areas of accountability with no gaps or overlaps. For enhanced firms, a current responsibilities map must show how responsibilities are allocated across the senior management team and how prescribed responsibilities are assigned.
Certification records must demonstrate that every individual performing a certification function has been assessed as fit and proper and has a current, valid certificate. Assessment records should show what was considered and the basis for the firm's conclusion.
Conduct rule training records must show that all in-scope staff have received training, understand the rules, and know how to report breaches. Firms should maintain a breach register that records all reported or identified conduct rule breaches and the firm's response.
Regulatory reference records must be maintained for all SMF holders and certified persons, covering the preceding six years. When providing references for departing staff, firms must follow the regulatory reference template and disclose all relevant information, including conduct rule breaches and disciplinary action.
The FCA also expects evidence that SM&CR is embedded in governance. Board minutes should show discussion of SM&CR matters. HR processes should integrate fitness and propriety assessments. Recruitment, appraisal, and disciplinary procedures should all reference SM&CR obligations.
Good Implementation
A well-run firm treats SM&CR as living governance infrastructure. Statements of Responsibilities are reviewed whenever there is an organisational change and at least annually regardless. The responsibilities map is a working document that the board references when making decisions about accountability and oversight.
Senior Managers can articulate their responsibilities without referring to the document. They maintain evidence of the steps they take to discharge those responsibilities: attendance at committee meetings, review of MI packs, escalation decisions, and actions taken in response to identified risks. They understand that the duty of responsibility requires them to be proactive, not reactive.
The certification process is rigorous. Annual assessments are conducted in advance of certificate expiry, not retrospectively. The assessment draws on multiple data sources — performance reviews, complaints data, conduct rule breach records, CPD completion, and fitness and propriety declarations. Where concerns are identified, the firm investigates before deciding whether to re-certify.
Conduct rules are embedded in culture, not just policy. Staff understand what is expected of them and feel confident reporting concerns. The firm has a clear process for investigating potential breaches and takes proportionate disciplinary action where breaches are substantiated.
How Our Tool Helps
The MEMA SM&CR navigator provides a digital framework for managing your entire SM&CR obligation. It maintains live Statements of Responsibilities and responsibilities maps that can be updated in real time as your organisation changes. The tool flags when documents are overdue for review and highlights gaps or overlaps in responsibility allocation.
The certification module manages the annual cycle: tracking certificate expiry dates, prompting fitness and propriety assessments, recording assessment evidence, and generating certificates. It maintains a complete audit trail that demonstrates to the FCA that your certification process is substantive and timely.
Conduct rule training and breach recording are integrated, giving you a single view of compliance across all three SM&CR pillars. The regulatory reference module ensures that references are provided in the correct format with all required disclosures.
How Our Service Helps
Our SM&CR implementation service starts with a structural review of your firm's governance arrangements. We assess whether your SMF allocations are correct, whether prescribed responsibilities are properly assigned, whether certification functions are fully identified, and whether your conduct rules framework is adequate.
For firms that have implemented SM&CR but are unsure whether their arrangements are fit for purpose, we provide an independent health check. This is particularly valuable ahead of a supervisory visit or when the FCA has signalled sector-wide SM&CR reviews.
We also provide practical support for common SM&CR events: onboarding new Senior Managers, managing departures and handovers, conducting Section 166 readiness assessments, and preparing for regulatory interviews. Our team understands how the FCA approaches SM&CR supervision and can help your firm prepare accordingly.
Relevant Sectors
SM&CR matters across all regulated sectors, but the practical challenges differ. Wealth management firms typically have the most complex SM&CR arrangements, with multiple Senior Managers, extensive certification populations (including investment advisers and portfolio managers), and intricate responsibilities maps. The FCA has focused on whether wealth firms' SM&CR arrangements adequately capture oversight of investment suitability and client money.
Insurance brokers face particular challenges around the certification regime, as client-facing staff who arrange insurance often fall within the significant harm function criteria. The FCA has also scrutinised how broker principals allocate SM&CR responsibilities for appointed representative oversight — a growing area of regulatory focus.
Payment services firms and e-money issuers, while often smaller, must still maintain robust SM&CR arrangements. The FCA has highlighted concerns about SM&CR compliance in the payments sector, particularly where rapid growth has outpaced governance structures. Firms that have scaled quickly without updating their SM&CR documentation are vulnerable to supervisory challenge.
Across all sectors, the firms that face the greatest SM&CR risk are those undergoing change — mergers, acquisitions, rapid growth, or leadership transitions. These are the moments when gaps in accountability are most likely to emerge and when the FCA is most likely to ask questions.
Frequently Asked Questions
What is the difference between a Senior Management Function and a Certification Function?
Senior Management Functions (SMFs) require prior FCA approval before the individual can perform the role. Certification Functions are identified by the firm itself — the firm must assess fitness and propriety and issue a certificate before the individual performs the function, but FCA pre-approval is not required. Both are subject to conduct rules.
How often must firms re-certify staff in Certification Functions?
Firms must re-assess fitness and propriety and re-issue certificates at least annually. The assessment must be meaningful — it cannot be a rubber-stamp exercise. Firms should consider conduct rule breaches, complaints, competence assessments, and any other relevant information.
What happens if a Senior Manager cannot demonstrate they took reasonable steps?
Under the duty of responsibility (section 66B FSMA), a Senior Manager can be held personally accountable for a regulatory contravention in their area of responsibility if they did not take reasonable steps to prevent it. This can result in enforcement action against the individual, including fines, prohibition, or public censure.
Do all FCA-authorised firms need a responsibilities map?
Core firms (the smallest and least complex) are not required to produce a responsibilities map, though the FCA recommends it as good practice. Enhanced firms must produce a comprehensive responsibilities map and keep it up to date. All firms — core and enhanced — must allocate prescribed responsibilities to specific Senior Managers.